Fedora Weekly News Issue 125

In Announcements, we have "Fedora 9 Beta slipped a few days" and "Michael Tiemann's Speech Online".
In Planet Fedora, we have "Fedora University Tour", "FUDCon Boston 2008 at the Red Hat Summit" and "Notacon 5".

We are always looking for more writers to help us deliver timely information to the Fedora community.

Announcements

Fedora 9 Beta slipped a few days

JesseKeating announces in fedora-announce-list[1],

"In order to give time for mirrors to sync up the Fedora 9 Beta bits, and to do some last minute testing, and to avoid releasing beta the day before a Holiday for a large part of the world, we have decided to delay the release of Fedora 9 Beta until Tuesday, March 25th."

Planet Fedora

Fedora University Tour

"Just arrived in Pittsburgh after a 5 hour travel ordeal which should have normally taken no more than 3 hours. Didn’t faze me one bit though, because I’m running on pure adrenaline, PSYCHED for Carnegie-Mellon in a few hours. CMU faculty, students and staff and local geeks alike who are interested in being inspired and captivated please join me as I present “Crash: How a Billion Little Collisions Define Everything” at 5pm later today in Newell-Simon Hall."

FUDCon Boston 2008 at the Red Hat Summit

PaulFrields points out in his blog[1],

"If you or your employer is springing for attendance at the actual Summit itself, and you attended a previous Summit, you’re eligible for a special alumni rate. Check your email from the last week and you should find a note from the Summit organizers with a special promotional code that will get you a substantial discount. (I just want to make sure no one misses the chance to save a little cash.) If you feel you should have received the email and didn’t, let me know and I’ll see if I can’t get you fixed up."

Notacon 5

JeffreyTadlock points out in his blog[1],

Fedora has arranged to have a booth at the soon upcoming Notacon 5 in downtown Cleveland, Ohio. The event is held April 4th through the 6th and is described as “The Midwest’s most unique hacker con and demo party rolled into one!”

Ambassadors

Media Distribution and GPL Compliance

Fedora Project leader PaulFrields announced[1] guidelines on the Ambassadors mailing list for staying GPL compliant when distributing Fedora media at events. Paul made two main points in the email. The first is to let people know that the source code for the binaries on the CDs/DVDs is readily available at fedoraproject.org. The second is to be prepared to provide the source on CD/DVD for people who want it in that form. Ambassadors can either make up some source DVDs prior to an event or be prepared to burn media at the booth if necessary.

Fedora Ambassadors should read the announcement in its entirety for all of the details.

Fedora 9 Release Day Parties

FrancescoUgolini invited[1] all Ambassadors to organize a release party or release event in their area around the time Fedora 9 is released at the end of April. These can be informal events with machines showing off the Fedora 9 release, including discussion between speakers and the public. If you are planning such an event, Ambassadors can add it to the Fedora Events page. If an Ambassador needs assistance in organizing their release party, please contact a FAmSCo member[3] for guidance.

Ambassadors Needed for Several Events

Several EMEA events listed on the Fedora Events page[1] still need an Ambassador to attend. These events include Augsburger Linux-Infotag in Augsburg, Germany; Grazer Linuxtage in Graz, Austria; Linux Days in Geneva, Switzerland; and Open Source Expo in Karlsruhe, Germany. If you can help with any of these events, please add your name to the owner column and contact a FAmSCo member for assistance.

Advisory Board

Google Summer of Code 2008

PatrickBarnes has announced that Fedora has been accepted as a mentoring organization in this summer's Google Summer of Code program for aspiring open-source student developers[1]. Fedora will be working alongside JBoss and the other Red Hat projects. The list of ideas for this year's GSoC program can be found on the Fedora Wiki[2].

Infrastructure

Asterisk and Town Hall meeting

PaulFrields writes[1] on fedora-infrastructure-list:

The Fedora Board should be holding another "town hall" style meeting on Tuesday, April 1. In March, plans to use Asterisk and GStreamer to provide some sort of listening capability for community members were postponed until then. In the end, there was agreement that such requests should be filed as a ticket rather than just asked for on the list.

Artwork

Art Team Status

MairinDuffy sent a message to the Fedora Art list[1] with a status update for the team. She talks about the default theme for Fedora 9, which was settled as Sulfuric Waves[3], the access policy for the Art group in the Fedora Account System, issues with the release process, the website banner for the Beta release and a Linux action podcast interview. NicuBuculei adds[2] two more items to the list: media (CD/DVD) labels and a release counter for the website.

Wells Fargo Online Safe-Deposit Box

It's no secret that even with a brick and mortar bank, you have to have a certain level of trust with a safe-deposit box. But apart from a dishonest employee, the evildoers will have a rough time getting at your things. You would expect the bank to have, at least, door locks, security cameras, motion detectors, and a big thick scary vault.

With an online storage system you really don't have all that many lines of defense. Let's presume the tech guys aren't thieves, and there are no flaws that could be used to gain access to your account. That means that the only real way in is to steal your "key". In the physical world, that might be as difficult as targeting you, knocking you down in the street, rummaging through your pockets, and finding the bank key. Then all you have to do is trick the bank into letting you actually use the stolen key, and taking whatever unusually important things I have stowed away in my box. In the tech world, I suspect stealing keys would go something like this:

Send out twelve billion phishing emails. Get some login credentials, steal their files.

The article mentions RSA tokens, which would help considerably, but they seem to suggest they are optional. I would be quite hesitant to put much faith in such a system if it doesn't offer multi-factor authentication. Like most things though, I suspect this is just a case of making people feel all warm and fuzzy, since they don't really understand what's going on anyhow.

CERT-FI archive file fuzzing

There are a couple of things that will need to be fixed in Fedora and RHEL, they are currently being worked on, but this really brings up a much bigger question. How is this a security advisory? They gave out an archive of millions of fuzzed files, the vast majority of which don't even trigger bugs in the software in question.

I think fuzzing is extremely powerful, and is very useful for finding bugs and security issues. Until now, fuzzing has really focused on the tools that mangle the data, to produce data with errors and flaws that will trigger bugs. These tools are a dime a dozen at this point, so what CERT-FI did wasn't all that useful. It would have been far more useful had CERT-FI distributed their suite for generating the fuzzed files, or released a test runner. Currently, the hard part when fuzzing is actually running the tests. When something fails, it's helpful to know where and why it happened, and by the very nature of fuzzing, there will be many failures caused by the same bug.

This also begs the question, what's coming next? Given what I've seen of fuzzing, I think it's beginning to reach the end of its extreme usefulness. Once fuzzing stops returning quick and easy results, I imagine most researchers will move on to something better for finding their flaws. It's in the best interest of security researchers to quickly and easily find security issues.

This reminds me of strcpy usage a few years back. There were an incredible number of security bugs found back when nobody cared about how they handled strings. Most developers are now quite aware of this and the strcpy buffer overflows are rather uncommon. Modern compilers will now even complain about crummy string use. Fuzzing is really just finding bugs where developers don't verify user input. This is getting better, and eventually ensuring that user input is sane will likely just be common knowledge. It shall be interesting to see what clever researchers come up with next, but until then, keep up the fuzzing.
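The column above makes two points worth seeing in code: fuzzing mostly surfaces places where a length from the input is trusted before it is checked (the strcpy pattern), and a useful fuzz runner has to bucket its many failures by cause rather than report every crashing file. The following C program is an added example written for this issue, not code from the column, from CERT-FI or from Fedora. It uses a hypothetical, constructed record format (a length byte, a name, a length byte, a payload), shows the unchecked copy beside the length-validated parser, and runs a small deterministic mutation corpus through the safe parser, tallying results by failure class so duplicates of one bug count once.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination, the classic strcpy-style target */

typedef enum {
    PARSE_OK = 0,
    PARSE_TRUNCATED,      /* input ended before a declared field did */
    PARSE_NAME_TOO_LONG,  /* declared name length does not fit NAME_MAX with a NUL */
    PARSE_STATUS_COUNT
} parse_status;

typedef struct {
    char name[NAME_MAX];
    size_t payload_len;
} record_t;

/* Constructed record layout (hypothetical, not any real archive format):
 *   [name_len:1][name:name_len][payload_len:1][payload:payload_len]
 */

/* "Before" form: trusts the length byte and copies that many bytes into a
 * 16-byte buffer without checking it against NAME_MAX or the input length.
 * Kept only to show the pattern the column describes; never called below. */
void parse_record_unchecked(const uint8_t *buf, record_t *out)
{
    size_t n = buf[0];
    memcpy(out->name, buf + 1, n);   /* overruns out->name when n >= NAME_MAX */
    out->name[n] = '\0';
    out->payload_len = buf[1 + n];
}

/* "After" form: every length is validated before any byte is copied. */
parse_status parse_record(const uint8_t *buf, size_t len, record_t *out)
{
    if (len < 1) return PARSE_TRUNCATED;
    size_t n = buf[0];
    if (n >= NAME_MAX) return PARSE_NAME_TOO_LONG;   /* keep room for the NUL */
    if (len < 1 + n + 1) return PARSE_TRUNCATED;     /* name + payload_len byte */
    size_t m = buf[1 + n];
    if (len < 2 + n + m) return PARSE_TRUNCATED;     /* payload must be fully present */
    memcpy(out->name, buf + 1, n);
    out->name[n] = '\0';
    out->payload_len = m;
    return PARSE_OK;
}

/* Deterministic mutator: overwrites one byte of the seed, and truncates every
 * fourth variant, so the corpus is reproducible without any random source.
 * Returns the length of the mutated input written to out (out holds 256 bytes). */
size_t mutate(const uint8_t *seed, size_t len, unsigned variant, uint8_t *out)
{
    if (len == 0 || len > 256) return 0;
    memcpy(out, seed, len);
    out[variant % len] = (uint8_t)(variant * 37u + 11u);
    return (variant % 4 == 0) ? len / 2 : len;
}

/* Tally of one fuzz run, bucketed by failure class so repeats of the same
 * bug are counted once rather than reported once per input. */
typedef struct {
    unsigned total;
    unsigned failures;
    unsigned by_status[PARSE_STATUS_COUNT];
} fuzz_report;

fuzz_report run_fuzz(const uint8_t *seed, size_t len, unsigned iterations)
{
    fuzz_report r;
    uint8_t buf[256];
    record_t rec;
    memset(&r, 0, sizeof r);
    for (unsigned i = 0; i < iterations; i++) {
        size_t n = mutate(seed, len, i, buf);
        parse_status s = parse_record(buf, n, &rec);
        r.total++;
        r.by_status[s]++;
        if (s != PARSE_OK) r.failures++;
    }
    return r;
}

/* Number of distinct failure classes seen: what a triage step reports. */
unsigned distinct_failure_classes(const fuzz_report *r)
{
    unsigned classes = 0;
    for (int s = 1; s < PARSE_STATUS_COUNT; s++)
        if (r->by_status[s] > 0) classes++;
    return classes;
}

/* Constructed seed: name "fwn", two payload bytes. */
const uint8_t SEED[] = { 3, 'f', 'w', 'n', 2, 0xAA, 0xBB };

int main(void)
{
    fuzz_report r = run_fuzz(SEED, sizeof SEED, 64);
    printf("%u inputs, %u failures, %u distinct classes\n",
           r.total, r.failures, distinct_failure_classes(&r));
    return 0;
}
```

Bucketing by a parser-reported status is the simplest form of the triage the column asks for; a real runner would key on the crash location (stack hash or sanitizer report) instead, since a parser that actually overruns a buffer does not return a status at all.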

Security Advisories

In this section, we cover Security Advisories from fedora-package-announce.